npm - @vinaes/succ - Versions diffs - 1.4.0 → 1.5.37 - Mend

@vinaes/succ 1.4.0 → 1.5.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (683) hide show

package/README.md +64 -10
package/dist/cli.js +71 -1
package/dist/cli.js.map +1 -1
package/dist/commands/agents-md.d.ts.map +1 -1
package/dist/commands/agents-md.js +3 -2
package/dist/commands/agents-md.js.map +1 -1
package/dist/commands/analyze-profile.d.ts.map +1 -1
package/dist/commands/analyze-profile.js +32 -8
package/dist/commands/analyze-profile.js.map +1 -1
package/dist/commands/analyze-recursive.d.ts.map +1 -1
package/dist/commands/analyze-recursive.js +6 -2
package/dist/commands/analyze-recursive.js.map +1 -1
package/dist/commands/analyze-utils.d.ts.map +1 -1
package/dist/commands/analyze-utils.js +17 -4
package/dist/commands/analyze-utils.js.map +1 -1
package/dist/commands/benchmark-quality.d.ts.map +1 -1
package/dist/commands/benchmark-quality.js +11 -4
package/dist/commands/benchmark-quality.js.map +1 -1
package/dist/commands/benchmark-sqlite-vec.d.ts.map +1 -1
package/dist/commands/benchmark-sqlite-vec.js +4 -0
package/dist/commands/benchmark-sqlite-vec.js.map +1 -1
package/dist/commands/benchmark.d.ts.map +1 -1
package/dist/commands/benchmark.js +5 -1
package/dist/commands/benchmark.js.map +1 -1
package/dist/commands/codex-chat.d.ts +8 -0
package/dist/commands/codex-chat.d.ts.map +1 -0
package/dist/commands/codex-chat.js +161 -0
package/dist/commands/codex-chat.js.map +1 -0
package/dist/commands/config.d.ts.map +1 -1
package/dist/commands/config.js +32 -4
package/dist/commands/config.js.map +1 -1
package/dist/commands/daemon.d.ts.map +1 -1
package/dist/commands/daemon.js +13 -4
package/dist/commands/daemon.js.map +1 -1
package/dist/commands/index-code.d.ts +4 -0
package/dist/commands/index-code.d.ts.map +1 -1
package/dist/commands/index-code.js +1 -1
package/dist/commands/index-code.js.map +1 -1
package/dist/commands/init.d.ts.map +1 -1
package/dist/commands/init.js +305 -203
package/dist/commands/init.js.map +1 -1
package/dist/commands/memories.d.ts.map +1 -1
package/dist/commands/memories.js +25 -14
package/dist/commands/memories.js.map +1 -1
package/dist/commands/progress.d.ts.map +1 -1
package/dist/commands/progress.js +3 -2
package/dist/commands/progress.js.map +1 -1
package/dist/commands/reindex.d.ts.map +1 -1
package/dist/commands/reindex.js +54 -36
package/dist/commands/reindex.js.map +1 -1
package/dist/commands/retention.d.ts.map +1 -1
package/dist/commands/retention.js +7 -5
package/dist/commands/retention.js.map +1 -1
package/dist/commands/scan-code.d.ts +76 -0
package/dist/commands/scan-code.d.ts.map +1 -0
package/dist/commands/scan-code.js +385 -0
package/dist/commands/scan-code.js.map +1 -0
package/dist/commands/score.d.ts.map +1 -1
package/dist/commands/score.js +3 -2
package/dist/commands/score.js.map +1 -1
package/dist/commands/session.d.ts +33 -0
package/dist/commands/session.d.ts.map +1 -0
package/dist/commands/session.js +163 -0
package/dist/commands/session.js.map +1 -0
package/dist/commands/setup.d.ts.map +1 -1
package/dist/commands/setup.js +254 -15
package/dist/commands/setup.js.map +1 -1
package/dist/commands/soul.js +3 -2
package/dist/commands/soul.js.map +1 -1
package/dist/commands/status.d.ts.map +1 -1
package/dist/commands/status.js +14 -5
package/dist/commands/status.js.map +1 -1
package/dist/commands/watch.d.ts.map +1 -1
package/dist/commands/watch.js +13 -4
package/dist/commands/watch.js.map +1 -1
package/dist/daemon/analyzer.d.ts.map +1 -1
package/dist/daemon/analyzer.js +21 -5
package/dist/daemon/analyzer.js.map +1 -1
package/dist/daemon/client.d.ts.map +1 -1
package/dist/daemon/client.js +32 -8
package/dist/daemon/client.js.map +1 -1
package/dist/daemon/routes/analyzer.d.ts +3 -0
package/dist/daemon/routes/analyzer.d.ts.map +1 -0
package/dist/daemon/routes/analyzer.js +27 -0
package/dist/daemon/routes/analyzer.js.map +1 -0
package/dist/daemon/routes/hooks.d.ts +14 -0
package/dist/daemon/routes/hooks.d.ts.map +1 -0
package/dist/daemon/routes/hooks.js +1212 -0
package/dist/daemon/routes/hooks.js.map +1 -0
package/dist/daemon/routes/memory.d.ts +4 -0
package/dist/daemon/routes/memory.d.ts.map +1 -0
package/dist/daemon/routes/memory.js +71 -0
package/dist/daemon/routes/memory.js.map +1 -0
package/dist/daemon/routes/reflection.d.ts +10 -0
package/dist/daemon/routes/reflection.d.ts.map +1 -0
package/dist/daemon/routes/reflection.js +397 -0
package/dist/daemon/routes/reflection.js.map +1 -0
package/dist/daemon/routes/search.d.ts +5 -0
package/dist/daemon/routes/search.d.ts.map +1 -0
package/dist/daemon/routes/search.js +93 -0
package/dist/daemon/routes/search.js.map +1 -0
package/dist/daemon/routes/sessions.d.ts +3 -0
package/dist/daemon/routes/sessions.d.ts.map +1 -0
package/dist/daemon/routes/sessions.js +160 -0
package/dist/daemon/routes/sessions.js.map +1 -0
package/dist/daemon/routes/skills.d.ts +3 -0
package/dist/daemon/routes/skills.d.ts.map +1 -0
package/dist/daemon/routes/skills.js +36 -0
package/dist/daemon/routes/skills.js.map +1 -0
package/dist/daemon/routes/status.d.ts +3 -0
package/dist/daemon/routes/status.d.ts.map +1 -0
package/dist/daemon/routes/status.js +47 -0
package/dist/daemon/routes/status.js.map +1 -0
package/dist/daemon/routes/types.d.ts +240 -0
package/dist/daemon/routes/types.d.ts.map +1 -0
package/dist/daemon/routes/types.js +97 -0
package/dist/daemon/routes/types.js.map +1 -0
package/dist/daemon/routes/versioning.d.ts +27 -0
package/dist/daemon/routes/versioning.d.ts.map +1 -0
package/dist/daemon/routes/versioning.js +44 -0
package/dist/daemon/routes/versioning.js.map +1 -0
package/dist/daemon/routes/watcher.d.ts +3 -0
package/dist/daemon/routes/watcher.d.ts.map +1 -0
package/dist/daemon/routes/watcher.js +28 -0
package/dist/daemon/routes/watcher.js.map +1 -0
package/dist/daemon/service.d.ts +5 -23
package/dist/daemon/service.d.ts.map +1 -1
package/dist/daemon/service.js +177 -935
package/dist/daemon/service.js.map +1 -1
package/dist/daemon/session-processor.d.ts +4 -8
package/dist/daemon/session-processor.d.ts.map +1 -1
package/dist/daemon/session-processor.js +39 -38
package/dist/daemon/session-processor.js.map +1 -1
package/dist/lib/ai-readiness.d.ts.map +1 -1
package/dist/lib/ai-readiness.js +33 -8
package/dist/lib/ai-readiness.js.map +1 -1
package/dist/lib/analyze-state.d.ts.map +1 -1
package/dist/lib/analyze-state.js +25 -3
package/dist/lib/analyze-state.js.map +1 -1
package/dist/lib/auto-memory/consolidation.d.ts +41 -0
package/dist/lib/auto-memory/consolidation.d.ts.map +1 -0
package/dist/lib/auto-memory/consolidation.js +151 -0
package/dist/lib/auto-memory/consolidation.js.map +1 -0
package/dist/lib/bpe.d.ts.map +1 -1
package/dist/lib/bpe.js +9 -10
package/dist/lib/bpe.js.map +1 -1
package/dist/lib/brain-export.d.ts +65 -0
package/dist/lib/brain-export.d.ts.map +1 -0
package/dist/lib/brain-export.js +413 -0
package/dist/lib/brain-export.js.map +1 -0
package/dist/lib/checkpoint.d.ts.map +1 -1
package/dist/lib/checkpoint.js +22 -6
package/dist/lib/checkpoint.js.map +1 -1
package/dist/lib/chunker.d.ts.map +1 -1
package/dist/lib/chunker.js +6 -1
package/dist/lib/chunker.js.map +1 -1
package/dist/lib/claude-ws-transport.d.ts.map +1 -1
package/dist/lib/claude-ws-transport.js +12 -4
package/dist/lib/claude-ws-transport.js.map +1 -1
package/dist/lib/command-safety.d.ts +64 -0
package/dist/lib/command-safety.d.ts.map +1 -0
package/dist/lib/command-safety.js +625 -0
package/dist/lib/command-safety.js.map +1 -0
package/dist/lib/compact-briefing.d.ts.map +1 -1
package/dist/lib/compact-briefing.js +10 -13
package/dist/lib/compact-briefing.js.map +1 -1
package/dist/lib/config-defaults.d.ts.map +1 -1
package/dist/lib/config-defaults.js +3 -0
package/dist/lib/config-defaults.js.map +1 -1
package/dist/lib/config-display.d.ts +4 -0
package/dist/lib/config-display.d.ts.map +1 -1
package/dist/lib/config-display.js +6 -1
package/dist/lib/config-display.js.map +1 -1
package/dist/lib/config-types.d.ts +149 -0
package/dist/lib/config-types.d.ts.map +1 -1
package/dist/lib/config-validation.d.ts.map +1 -1
package/dist/lib/config-validation.js +5 -0
package/dist/lib/config-validation.js.map +1 -1
package/dist/lib/config.d.ts.map +1 -1
package/dist/lib/config.js +92 -9
package/dist/lib/config.js.map +1 -1
package/dist/lib/consolidate.d.ts.map +1 -1
package/dist/lib/consolidate.js +66 -47
package/dist/lib/consolidate.js.map +1 -1
package/dist/lib/content-sanitizer.d.ts +29 -0
package/dist/lib/content-sanitizer.d.ts.map +1 -0
package/dist/lib/content-sanitizer.js +72 -0
package/dist/lib/content-sanitizer.js.map +1 -0
package/dist/lib/cross-repo.d.ts +44 -0
package/dist/lib/cross-repo.d.ts.map +1 -0
package/dist/lib/cross-repo.js +108 -0
package/dist/lib/cross-repo.js.map +1 -0
package/dist/lib/daemon-port.d.ts +12 -0
package/dist/lib/daemon-port.d.ts.map +1 -0
package/dist/lib/daemon-port.js +20 -0
package/dist/lib/daemon-port.js.map +1 -0
package/dist/lib/db/auto-memory.d.ts +40 -0
package/dist/lib/db/auto-memory.d.ts.map +1 -0
package/dist/lib/db/auto-memory.js +74 -0
package/dist/lib/db/auto-memory.js.map +1 -0
package/dist/lib/db/bm25-indexes.d.ts.map +1 -1
package/dist/lib/db/bm25-indexes.js +16 -4
package/dist/lib/db/bm25-indexes.js.map +1 -1
package/dist/lib/db/documents.d.ts.map +1 -1
package/dist/lib/db/documents.js +4 -1
package/dist/lib/db/documents.js.map +1 -1
package/dist/lib/db/global-memories.d.ts +2 -10
package/dist/lib/db/global-memories.d.ts.map +1 -1
package/dist/lib/db/global-memories.js +13 -6
package/dist/lib/db/global-memories.js.map +1 -1
package/dist/lib/db/graph.d.ts +5 -1
package/dist/lib/db/graph.d.ts.map +1 -1
package/dist/lib/db/graph.js +38 -8
package/dist/lib/db/graph.js.map +1 -1
package/dist/lib/db/hybrid-search.d.ts +4 -2
package/dist/lib/db/hybrid-search.d.ts.map +1 -1
package/dist/lib/db/hybrid-search.js +29 -11
package/dist/lib/db/hybrid-search.js.map +1 -1
package/dist/lib/db/index.d.ts +6 -1
package/dist/lib/db/index.d.ts.map +1 -1
package/dist/lib/db/index.js +5 -1
package/dist/lib/db/index.js.map +1 -1
package/dist/lib/db/memories.d.ts +19 -14
package/dist/lib/db/memories.d.ts.map +1 -1
package/dist/lib/db/memories.js +100 -37
package/dist/lib/db/memories.js.map +1 -1
package/dist/lib/db/parse-helpers.d.ts +14 -0
package/dist/lib/db/parse-helpers.d.ts.map +1 -0
package/dist/lib/db/parse-helpers.js +59 -0
package/dist/lib/db/parse-helpers.js.map +1 -0
package/dist/lib/db/recall-events.d.ts +49 -0
package/dist/lib/db/recall-events.d.ts.map +1 -0
package/dist/lib/db/recall-events.js +196 -0
package/dist/lib/db/recall-events.js.map +1 -0
package/dist/lib/db/retention.d.ts +4 -3
package/dist/lib/db/retention.d.ts.map +1 -1
package/dist/lib/db/retention.js +12 -1
package/dist/lib/db/retention.js.map +1 -1
package/dist/lib/db/schema.d.ts +2 -0
package/dist/lib/db/schema.d.ts.map +1 -1
package/dist/lib/db/schema.js +140 -80
package/dist/lib/db/schema.js.map +1 -1
package/dist/lib/db/skills.d.ts.map +1 -1
package/dist/lib/db/skills.js +10 -6
package/dist/lib/db/skills.js.map +1 -1
package/dist/lib/diff-brain.d.ts +24 -0
package/dist/lib/diff-brain.d.ts.map +1 -0
package/dist/lib/diff-brain.js +114 -0
package/dist/lib/diff-brain.js.map +1 -0
package/dist/lib/diff-parser.d.ts +74 -0
package/dist/lib/diff-parser.d.ts.map +1 -0
package/dist/lib/diff-parser.js +200 -0
package/dist/lib/diff-parser.js.map +1 -0
package/dist/lib/embedding-pool.d.ts.map +1 -1
package/dist/lib/embedding-pool.js +5 -1
package/dist/lib/embedding-pool.js.map +1 -1
package/dist/lib/embeddings.d.ts +12 -0
package/dist/lib/embeddings.d.ts.map +1 -1
package/dist/lib/embeddings.js +77 -19
package/dist/lib/embeddings.js.map +1 -1
package/dist/lib/errors.d.ts +2 -0
package/dist/lib/errors.d.ts.map +1 -1
package/dist/lib/errors.js +4 -0
package/dist/lib/errors.js.map +1 -1
package/dist/lib/fault-logger.d.ts.map +1 -1
package/dist/lib/fault-logger.js +22 -7
package/dist/lib/fault-logger.js.map +1 -1
package/dist/lib/git/co-change.d.ts +39 -0
package/dist/lib/git/co-change.d.ts.map +1 -0
package/dist/lib/git/co-change.js +139 -0
package/dist/lib/git/co-change.js.map +1 -0
package/dist/lib/graph/bridge-edges.d.ts +93 -0
package/dist/lib/graph/bridge-edges.d.ts.map +1 -0
package/dist/lib/graph/bridge-edges.js +276 -0
package/dist/lib/graph/bridge-edges.js.map +1 -0
package/dist/lib/graph/centrality.d.ts +11 -0
package/dist/lib/graph/centrality.d.ts.map +1 -1
package/dist/lib/graph/centrality.js +51 -3
package/dist/lib/graph/centrality.js.map +1 -1
package/dist/lib/graph/cleanup.d.ts.map +1 -1
package/dist/lib/graph/cleanup.js +2 -1
package/dist/lib/graph/cleanup.js.map +1 -1
package/dist/lib/graph/community-detection.d.ts +17 -2
package/dist/lib/graph/community-detection.d.ts.map +1 -1
package/dist/lib/graph/community-detection.js +147 -48
package/dist/lib/graph/community-detection.js.map +1 -1
package/dist/lib/graph/community-summaries.d.ts +26 -0
package/dist/lib/graph/community-summaries.d.ts.map +1 -0
package/dist/lib/graph/community-summaries.js +130 -0
package/dist/lib/graph/community-summaries.js.map +1 -0
package/dist/lib/graph/contextual-proximity.d.ts.map +1 -1
package/dist/lib/graph/contextual-proximity.js +11 -4
package/dist/lib/graph/contextual-proximity.js.map +1 -1
package/dist/lib/graph/graphology-bridge.d.ts +101 -0
package/dist/lib/graph/graphology-bridge.d.ts.map +1 -0
package/dist/lib/graph/graphology-bridge.js +488 -0
package/dist/lib/graph/graphology-bridge.js.map +1 -0
package/dist/lib/graph/llm-relations.d.ts.map +1 -1
package/dist/lib/graph/llm-relations.js +27 -5
package/dist/lib/graph/llm-relations.js.map +1 -1
package/dist/lib/graph-export.d.ts.map +1 -1
package/dist/lib/graph-export.js +2 -2
package/dist/lib/graph-export.js.map +1 -1
package/dist/lib/graph-scheduler.d.ts +0 -5
package/dist/lib/graph-scheduler.d.ts.map +1 -1
package/dist/lib/graph-scheduler.js +5 -1
package/dist/lib/graph-scheduler.js.map +1 -1
package/dist/lib/guardrails.d.ts +50 -0
package/dist/lib/guardrails.d.ts.map +1 -0
package/dist/lib/guardrails.js +502 -0
package/dist/lib/guardrails.js.map +1 -0
package/dist/lib/hook-rules.d.ts +1 -1
package/dist/lib/hook-rules.d.ts.map +1 -1
package/dist/lib/hook-rules.js +8 -2
package/dist/lib/hook-rules.js.map +1 -1
package/dist/lib/ifc/file-labels.d.ts +35 -0
package/dist/lib/ifc/file-labels.d.ts.map +1 -0
package/dist/lib/ifc/file-labels.js +208 -0
package/dist/lib/ifc/file-labels.js.map +1 -0
package/dist/lib/ifc/label.d.ts +38 -0
package/dist/lib/ifc/label.d.ts.map +1 -0
package/dist/lib/ifc/label.js +80 -0
package/dist/lib/ifc/label.js.map +1 -0
package/dist/lib/ifc/session-ifc.d.ts +92 -0
package/dist/lib/ifc/session-ifc.d.ts.map +1 -0
package/dist/lib/ifc/session-ifc.js +222 -0
package/dist/lib/ifc/session-ifc.js.map +1 -0
package/dist/lib/indexer.js +2 -2
package/dist/lib/indexer.js.map +1 -1
package/dist/lib/injection-detector.d.ts +83 -0
package/dist/lib/injection-detector.d.ts.map +1 -0
package/dist/lib/injection-detector.js +586 -0
package/dist/lib/injection-detector.js.map +1 -0
package/dist/lib/injection-semantic.d.ts +31 -0
package/dist/lib/injection-semantic.d.ts.map +1 -0
package/dist/lib/injection-semantic.js +230 -0
package/dist/lib/injection-semantic.js.map +1 -0
package/dist/lib/llm.d.ts.map +1 -1
package/dist/lib/llm.js +19 -4
package/dist/lib/llm.js.map +1 -1
package/dist/lib/lock.d.ts.map +1 -1
package/dist/lib/lock.js +24 -3
package/dist/lib/lock.js.map +1 -1
package/dist/lib/md-fetch.d.ts.map +1 -1
package/dist/lib/md-fetch.js +9 -2
package/dist/lib/md-fetch.js.map +1 -1
package/dist/lib/observability.d.ts +75 -0
package/dist/lib/observability.d.ts.map +1 -0
package/dist/lib/observability.js +201 -0
package/dist/lib/observability.js.map +1 -0
package/dist/lib/ort-session.d.ts +26 -0
package/dist/lib/ort-session.d.ts.map +1 -1
package/dist/lib/ort-session.js +107 -3
package/dist/lib/ort-session.js.map +1 -1
package/dist/lib/prd/codebase-context.d.ts.map +1 -1
package/dist/lib/prd/codebase-context.js +9 -2
package/dist/lib/prd/codebase-context.js.map +1 -1
package/dist/lib/prd/context.d.ts.map +1 -1
package/dist/lib/prd/context.js +11 -3
package/dist/lib/prd/context.js.map +1 -1
package/dist/lib/prd/export.js +1 -1
package/dist/lib/prd/export.js.map +1 -1
package/dist/lib/prd/generate.d.ts.map +1 -1
package/dist/lib/prd/generate.js +17 -4
package/dist/lib/prd/generate.js.map +1 -1
package/dist/lib/prd/parse.d.ts.map +1 -1
package/dist/lib/prd/parse.js +6 -1
package/dist/lib/prd/parse.js.map +1 -1
package/dist/lib/prd/runner.d.ts +1 -2
package/dist/lib/prd/runner.d.ts.map +1 -1
package/dist/lib/prd/runner.js +43 -32
package/dist/lib/prd/runner.js.map +1 -1
package/dist/lib/prd/worktree.d.ts +1 -2
package/dist/lib/prd/worktree.d.ts.map +1 -1
package/dist/lib/prd/worktree.js +62 -70
package/dist/lib/prd/worktree.js.map +1 -1
package/dist/lib/precompute-context.d.ts.map +1 -1
package/dist/lib/precompute-context.js +15 -34
package/dist/lib/precompute-context.js.map +1 -1
package/dist/lib/pricing.d.ts.map +1 -1
package/dist/lib/pricing.js +5 -1
package/dist/lib/pricing.js.map +1 -1
package/dist/lib/process-registry.js +3 -3
package/dist/lib/process-registry.js.map +1 -1
package/dist/lib/public-api.d.ts +41 -1
package/dist/lib/public-api.d.ts.map +1 -1
package/dist/lib/public-api.js +38 -0
package/dist/lib/public-api.js.map +1 -1
package/dist/lib/quality.d.ts.map +1 -1
package/dist/lib/quality.js +15 -6
package/dist/lib/quality.js.map +1 -1
package/dist/lib/query-expansion.d.ts +32 -0
package/dist/lib/query-expansion.d.ts.map +1 -1
package/dist/lib/query-expansion.js +62 -1
package/dist/lib/query-expansion.js.map +1 -1
package/dist/lib/reference-embeddings.d.ts.map +1 -1
package/dist/lib/reference-embeddings.js +17 -4
package/dist/lib/reference-embeddings.js.map +1 -1
package/dist/lib/reflection-synthesizer.d.ts.map +1 -1
package/dist/lib/reflection-synthesizer.js +7 -1
package/dist/lib/reflection-synthesizer.js.map +1 -1
package/dist/lib/reranker.d.ts +41 -0
package/dist/lib/reranker.d.ts.map +1 -0
package/dist/lib/reranker.js +294 -0
package/dist/lib/reranker.js.map +1 -0
package/dist/lib/retrieval-feedback.d.ts +100 -0
package/dist/lib/retrieval-feedback.d.ts.map +1 -0
package/dist/lib/retrieval-feedback.js +174 -0
package/dist/lib/retrieval-feedback.js.map +1 -0
package/dist/lib/review/context-pack.d.ts +58 -0
package/dist/lib/review/context-pack.d.ts.map +1 -0
package/dist/lib/review/context-pack.js +300 -0
package/dist/lib/review/context-pack.js.map +1 -0
package/dist/lib/search/hierarchical-summaries.d.ts +65 -0
package/dist/lib/search/hierarchical-summaries.d.ts.map +1 -0
package/dist/lib/search/hierarchical-summaries.js +423 -0
package/dist/lib/search/hierarchical-summaries.js.map +1 -0
package/dist/lib/search/hyde.d.ts +27 -0
package/dist/lib/search/hyde.d.ts.map +1 -0
package/dist/lib/search/hyde.js +141 -0
package/dist/lib/search/hyde.js.map +1 -0
package/dist/lib/search/late-chunking.d.ts +53 -0
package/dist/lib/search/late-chunking.d.ts.map +1 -0
package/dist/lib/search/late-chunking.js +230 -0
package/dist/lib/search/late-chunking.js.map +1 -0
package/dist/lib/search/ppr-retrieval.d.ts +49 -0
package/dist/lib/search/ppr-retrieval.d.ts.map +1 -0
package/dist/lib/search/ppr-retrieval.js +135 -0
package/dist/lib/search/ppr-retrieval.js.map +1 -0
package/dist/lib/search/repo-map.d.ts +43 -0
package/dist/lib/search/repo-map.d.ts.map +1 -0
package/dist/lib/search/repo-map.js +165 -0
package/dist/lib/search/repo-map.js.map +1 -0
package/dist/lib/session-analyzer.d.ts +90 -0
package/dist/lib/session-analyzer.d.ts.map +1 -0
package/dist/lib/session-analyzer.js +467 -0
package/dist/lib/session-analyzer.js.map +1 -0
package/dist/lib/session-observations.d.ts.map +1 -1
package/dist/lib/session-observations.js +13 -3
package/dist/lib/session-observations.js.map +1 -1
package/dist/lib/session-summary.d.ts.map +1 -1
package/dist/lib/session-summary.js +57 -50
package/dist/lib/session-summary.js.map +1 -1
package/dist/lib/session-surgeon.d.ts +53 -0
package/dist/lib/session-surgeon.d.ts.map +1 -0
package/dist/lib/session-surgeon.js +501 -0
package/dist/lib/session-surgeon.js.map +1 -0
package/dist/lib/similarity-utils.d.ts +26 -0
package/dist/lib/similarity-utils.d.ts.map +1 -0
package/dist/lib/similarity-utils.js +66 -0
package/dist/lib/similarity-utils.js.map +1 -0
package/dist/lib/skills.d.ts.map +1 -1
package/dist/lib/skills.js +11 -11
package/dist/lib/skills.js.map +1 -1
package/dist/lib/storage/backends/interface.d.ts +13 -3
package/dist/lib/storage/backends/interface.d.ts.map +1 -1
package/dist/lib/storage/backends/postgresql.d.ts +52 -3
package/dist/lib/storage/backends/postgresql.d.ts.map +1 -1
package/dist/lib/storage/backends/postgresql.js +694 -49
package/dist/lib/storage/backends/postgresql.js.map +1 -1
package/dist/lib/storage/benchmark.js +2 -2
package/dist/lib/storage/benchmark.js.map +1 -1
package/dist/lib/storage/dispatcher/base.d.ts +114 -0
package/dist/lib/storage/dispatcher/base.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/base.js +160 -0
package/dist/lib/storage/dispatcher/base.js.map +1 -0
package/dist/lib/storage/dispatcher/documents.d.ts +25 -0
package/dist/lib/storage/dispatcher/documents.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/documents.js +194 -0
package/dist/lib/storage/dispatcher/documents.js.map +1 -0
package/dist/lib/storage/dispatcher/embeddings.d.ts +34 -0
package/dist/lib/storage/dispatcher/embeddings.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/embeddings.js +144 -0
package/dist/lib/storage/dispatcher/embeddings.js.map +1 -0
package/dist/lib/storage/dispatcher/export-import.d.ts +139 -0
package/dist/lib/storage/dispatcher/export-import.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/export-import.js +191 -0
package/dist/lib/storage/dispatcher/export-import.js.map +1 -0
package/dist/lib/storage/dispatcher/file-hashes.d.ts +13 -0
package/dist/lib/storage/dispatcher/file-hashes.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/file-hashes.js +36 -0
package/dist/lib/storage/dispatcher/file-hashes.js.map +1 -0
package/dist/lib/storage/dispatcher/global-memories.d.ts +28 -0
package/dist/lib/storage/dispatcher/global-memories.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/global-memories.js +151 -0
package/dist/lib/storage/dispatcher/global-memories.js.map +1 -0
package/dist/lib/storage/dispatcher/graph.d.ts +32 -0
package/dist/lib/storage/dispatcher/graph.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/graph.js +146 -0
package/dist/lib/storage/dispatcher/graph.js.map +1 -0
package/dist/lib/storage/dispatcher/index.d.ts +34 -0
package/dist/lib/storage/dispatcher/index.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/index.js +139 -0
package/dist/lib/storage/dispatcher/index.js.map +1 -0
package/dist/lib/storage/dispatcher/memories.d.ts +65 -0
package/dist/lib/storage/dispatcher/memories.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/memories.js +466 -0
package/dist/lib/storage/dispatcher/memories.js.map +1 -0
package/dist/lib/storage/dispatcher/mixin-helper.d.ts +6 -0
package/dist/lib/storage/dispatcher/mixin-helper.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/mixin-helper.js +10 -0
package/dist/lib/storage/dispatcher/mixin-helper.js.map +1 -0
package/dist/lib/storage/dispatcher/retention.d.ts +20 -0
package/dist/lib/storage/dispatcher/retention.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/retention.js +123 -0
package/dist/lib/storage/dispatcher/retention.js.map +1 -0
package/dist/lib/storage/dispatcher/search.d.ts +34 -0
package/dist/lib/storage/dispatcher/search.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/search.js +222 -0
package/dist/lib/storage/dispatcher/search.js.map +1 -0
package/dist/lib/storage/dispatcher/skills.d.ts +53 -0
package/dist/lib/storage/dispatcher/skills.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/skills.js +98 -0
package/dist/lib/storage/dispatcher/skills.js.map +1 -0
package/dist/lib/storage/dispatcher/token-stats.d.ts +23 -0
package/dist/lib/storage/dispatcher/token-stats.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/token-stats.js +92 -0
package/dist/lib/storage/dispatcher/token-stats.js.map +1 -0
package/dist/lib/storage/dispatcher/web-search.d.ts +10 -0
package/dist/lib/storage/dispatcher/web-search.d.ts.map +1 -0
package/dist/lib/storage/dispatcher/web-search.js +39 -0
package/dist/lib/storage/dispatcher/web-search.js.map +1 -0
package/dist/lib/storage/dispatcher-export.d.ts.map +1 -1
package/dist/lib/storage/dispatcher-export.js +48 -39
package/dist/lib/storage/dispatcher-export.js.map +1 -1
package/dist/lib/storage/dispatcher.d.ts +1 -468
package/dist/lib/storage/dispatcher.d.ts.map +1 -1
package/dist/lib/storage/dispatcher.js +1 -1931
package/dist/lib/storage/dispatcher.js.map +1 -1
package/dist/lib/storage/index.d.ts +20 -5
package/dist/lib/storage/index.d.ts.map +1 -1
package/dist/lib/storage/index.js +36 -7
package/dist/lib/storage/index.js.map +1 -1
package/dist/lib/storage/migration/export-import.d.ts.map +1 -1
package/dist/lib/storage/migration/export-import.js +9 -2
package/dist/lib/storage/migration/export-import.js.map +1 -1
package/dist/lib/storage/types.d.ts +152 -10
package/dist/lib/storage/types.d.ts.map +1 -1
package/dist/lib/storage/types.js +13 -0
package/dist/lib/storage/types.js.map +1 -1
package/dist/lib/storage/vector/interface.d.ts +4 -0
package/dist/lib/storage/vector/interface.d.ts.map +1 -1
package/dist/lib/storage/vector/qdrant.d.ts +13 -2
package/dist/lib/storage/vector/qdrant.d.ts.map +1 -1
package/dist/lib/storage/vector/qdrant.js +147 -61
package/dist/lib/storage/vector/qdrant.js.map +1 -1
package/dist/lib/token-budget.d.ts.map +1 -1
package/dist/lib/token-budget.js +9 -2
package/dist/lib/token-budget.js.map +1 -1
package/dist/lib/transcript-utils.d.ts +60 -0
package/dist/lib/transcript-utils.d.ts.map +1 -0
package/dist/lib/transcript-utils.js +69 -0
package/dist/lib/transcript-utils.js.map +1 -0
package/dist/lib/tree-sitter/extractor.d.ts +1 -1
package/dist/lib/tree-sitter/extractor.d.ts.map +1 -1
package/dist/lib/tree-sitter/extractor.js +34 -9
package/dist/lib/tree-sitter/extractor.js.map +1 -1
package/dist/lib/tree-sitter/parser.d.ts.map +1 -1
package/dist/lib/tree-sitter/parser.js +45 -11
package/dist/lib/tree-sitter/parser.js.map +1 -1
package/dist/lib/tree-sitter/public.d.ts +12 -0
package/dist/lib/tree-sitter/public.d.ts.map +1 -1
package/dist/lib/tree-sitter/public.js +33 -1
package/dist/lib/tree-sitter/public.js.map +1 -1
package/dist/lib/tree-sitter/queries.d.ts.map +1 -1
package/dist/lib/tree-sitter/queries.js +8 -0
package/dist/lib/tree-sitter/queries.js.map +1 -1
package/dist/lib/working-memory-pipeline.d.ts.map +1 -1
package/dist/lib/working-memory-pipeline.js +12 -3
package/dist/lib/working-memory-pipeline.js.map +1 -1
package/dist/lib/worktree-detect.d.ts +43 -0
package/dist/lib/worktree-detect.d.ts.map +1 -0
package/dist/lib/worktree-detect.js +154 -0
package/dist/lib/worktree-detect.js.map +1 -0
package/dist/lsp/client.d.ts +96 -0
package/dist/lsp/client.d.ts.map +1 -0
package/dist/lsp/client.js +435 -0
package/dist/lsp/client.js.map +1 -0
package/dist/lsp/installer.d.ts +39 -0
package/dist/lsp/installer.d.ts.map +1 -0
package/dist/lsp/installer.js +275 -0
package/dist/lsp/installer.js.map +1 -0
package/dist/lsp/manager.d.ts +62 -0
package/dist/lsp/manager.d.ts.map +1 -0
package/dist/lsp/manager.js +234 -0
package/dist/lsp/manager.js.map +1 -0
package/dist/lsp/servers.d.ts +52 -0
package/dist/lsp/servers.d.ts.map +1 -0
package/dist/lsp/servers.js +162 -0
package/dist/lsp/servers.js.map +1 -0
package/dist/mcp/helpers.d.ts.map +1 -1
package/dist/mcp/helpers.js +8 -2
package/dist/mcp/helpers.js.map +1 -1
package/dist/mcp/profile.js +1 -1
package/dist/mcp/server.d.ts +3 -2
package/dist/mcp/server.d.ts.map +1 -1
package/dist/mcp/server.js +19 -7
package/dist/mcp/server.js.map +1 -1
package/dist/mcp/tools/config.d.ts.map +1 -1
package/dist/mcp/tools/config.js +28 -118
package/dist/mcp/tools/config.js.map +1 -1
package/dist/mcp/tools/dead-end.d.ts.map +1 -1
package/dist/mcp/tools/dead-end.js +4 -3
package/dist/mcp/tools/dead-end.js.map +1 -1
package/dist/mcp/tools/debug.d.ts.map +1 -1
package/dist/mcp/tools/debug.js +27 -112
package/dist/mcp/tools/debug.js.map +1 -1
package/dist/mcp/tools/graph.d.ts.map +1 -1
package/dist/mcp/tools/graph.js +164 -176
package/dist/mcp/tools/graph.js.map +1 -1
package/dist/mcp/tools/indexing.d.ts +1 -1
package/dist/mcp/tools/indexing.d.ts.map +1 -1
package/dist/mcp/tools/indexing.js +63 -164
package/dist/mcp/tools/indexing.js.map +1 -1
package/dist/mcp/tools/memory/forget.d.ts +3 -0
package/dist/mcp/tools/memory/forget.d.ts.map +1 -0
package/dist/mcp/tools/memory/forget.js +175 -0
package/dist/mcp/tools/memory/forget.js.map +1 -0
package/dist/mcp/tools/memory/memory-helpers.d.ts +45 -0
package/dist/mcp/tools/memory/memory-helpers.d.ts.map +1 -0
package/dist/mcp/tools/memory/memory-helpers.js +291 -0
package/dist/mcp/tools/memory/memory-helpers.js.map +1 -0
package/dist/mcp/tools/memory/recall.d.ts +3 -0
package/dist/mcp/tools/memory/recall.d.ts.map +1 -0
package/dist/mcp/tools/memory/recall.js +495 -0
package/dist/mcp/tools/memory/recall.js.map +1 -0
package/dist/mcp/tools/memory/remember.d.ts +3 -0
package/dist/mcp/tools/memory/remember.d.ts.map +1 -0
package/dist/mcp/tools/memory/remember.js +256 -0
package/dist/mcp/tools/memory/remember.js.map +1 -0
package/dist/mcp/tools/memory/temporal-query.d.ts +8 -0
package/dist/mcp/tools/memory/temporal-query.d.ts.map +1 -0
package/dist/mcp/tools/memory/temporal-query.js +68 -0
package/dist/mcp/tools/memory/temporal-query.js.map +1 -0
package/dist/mcp/tools/memory.d.ts +0 -11
package/dist/mcp/tools/memory.d.ts.map +1 -1
package/dist/mcp/tools/memory.js +6 -1228
package/dist/mcp/tools/memory.js.map +1 -1
package/dist/mcp/tools/prd.d.ts.map +1 -1
package/dist/mcp/tools/prd.js +19 -70
package/dist/mcp/tools/prd.js.map +1 -1
package/dist/mcp/tools/review.d.ts +8 -0
package/dist/mcp/tools/review.d.ts.map +1 -0
package/dist/mcp/tools/review.js +133 -0
package/dist/mcp/tools/review.js.map +1 -0
package/dist/mcp/tools/search.d.ts.map +1 -1
package/dist/mcp/tools/search.js +79 -8
package/dist/mcp/tools/search.js.map +1 -1
package/dist/mcp/tools/status.d.ts.map +1 -1
package/dist/mcp/tools/status.js +34 -75
package/dist/mcp/tools/status.js.map +1 -1
package/dist/mcp/tools/web-fetch.d.ts.map +1 -1
package/dist/mcp/tools/web-fetch.js +5 -1
package/dist/mcp/tools/web-fetch.js.map +1 -1
package/dist/mcp/tools/web-search.d.ts.map +1 -1
package/dist/mcp/tools/web-search.js +25 -103
package/dist/mcp/tools/web-search.js.map +1 -1
package/dist/prompts/guardrails.d.ts +14 -0
package/dist/prompts/guardrails.d.ts.map +1 -0
package/dist/prompts/guardrails.js +115 -0
package/dist/prompts/guardrails.js.map +1 -0
package/dist/prompts/index.d.ts +2 -1
package/dist/prompts/index.d.ts.map +1 -1
package/dist/prompts/index.js +3 -1
package/dist/prompts/index.js.map +1 -1
package/dist/prompts/prd.d.ts +0 -2
package/dist/prompts/prd.d.ts.map +1 -1
package/dist/prompts/prd.js +0 -2
package/dist/prompts/prd.js.map +1 -1
package/hooks/core/__tests__/adapter.test.cjs +340 -0
package/hooks/core/adapter.cjs +463 -0
package/hooks/core/config.cjs +83 -0
package/hooks/core/daemon-boot.cjs +140 -0
package/hooks/core/log.cjs +41 -0
package/hooks/core/worktree.cjs +119 -0
package/hooks/succ-post-tool.cjs +198 -134
package/hooks/succ-pre-compact.cjs +262 -0
package/hooks/succ-pre-tool.cjs +526 -182
package/hooks/succ-session-end.cjs +40 -64
package/hooks/succ-session-start.cjs +484 -430
package/hooks/succ-stop-reflection.cjs +36 -62
package/hooks/succ-user-prompt.cjs +137 -180
package/package.json +17 -6

package/dist/lib/ifc/file-labels.js ADDED Viewed

@@ -0,0 +1,208 @@
+/**
+ * File Label Assignment — 4-layer label resolution for BLP IFC
+ *
+ * Assigns SecurityLabels to files using conservative (highest wins) layering:
+ *   1. Extension-based (deterministic, instant)
+ *   2. Path-based (deterministic, instant)
+ *   3. Content-based regex (deterministic, requires file content)
+ *   4. LLM classification (Phase 3, opt-in)
+ *
+ * Label assignment is monotonic — higher label always wins.
+ */
+import { makeLabel, join, BOTTOM, } from './label.js';
+const EXTENSION_RULES = [
+    // Highly confidential: private keys and certs
+    {
+        extensions: ['.pem', '.key', '.p12', '.pfx', '.jks', '.keystore'],
+        label: makeLabel(3, ['credentials']),
+    },
+    // Confidential: environment files with secrets
+    {
+        extensions: ['.env', '.env.local', '.env.production', '.env.staging', '.env.development'],
+        label: makeLabel(2, ['secrets', 'credentials']),
+    },
+    // Internal: config files that may contain infrastructure info
+    {
+        extensions: ['.htpasswd', '.htaccess'],
+        label: makeLabel(2, ['credentials']),
+    },
+    // Public: documentation
+    {
+        extensions: ['.md', '.txt', '.rst', '.adoc'],
+        label: BOTTOM,
+    },
+];
+function labelByExtension(filePath) {
+    const lower = filePath.toLowerCase().replace(/\\/g, '/');
+    const basename = lower.split('/').pop() || '';
+    // Check full basename match first (for .env, .env.local, .env.production, etc.)
+    for (const rule of EXTENSION_RULES) {
+        for (const ext of rule.extensions) {
+            const name = ext.slice(1); // e.g. "env", "env.local", "pem"
+            // Exact match: ".env" → basename ".env"
+            if (basename === ext || basename === name) {
+                return rule.label;
+            }
+            // Prefix match: ".env" rule matches ".env.production", ".env.staging", etc.
+            // But NOT env.sh, env.py, etc. — only .env.* or bare env files
+            if (ext === '.env' && basename.startsWith('.env.')) {
+                return rule.label;
+            }
+            // Match bare "env" followed by dot-separated qualifiers (env.local, env.production)
+            // but NOT env.sh, env.py, env.ts, etc. (script files)
+            if (ext === '.env' && basename.startsWith('env.')) {
+                const afterEnvDot = basename.slice(4); // after "env."
+                // If it looks like a file extension (2-4 chars, common code ext), skip
+                if (/^(?:sh|py|ts|js|rb|go|rs|pl|bat|cmd|ps1|php|java|c|h|cpp)$/i.test(afterEnvDot)) {
+                    // Not an env config file — skip
+                }
+                else {
+                    return rule.label;
+                }
+            }
+        }
+    }
+    // Check all extensions in compound filenames (e.g., "backup.pem.bak" → check ".bak", ".pem")
+    // This ensures security-sensitive inner extensions aren't missed when outer extension differs
+    let compoundLabel = BOTTOM;
+    let remaining = basename;
+    while (true) {
+        const dotIdx = remaining.lastIndexOf('.');
+        if (dotIdx < 0)
+            break;
+        const ext = remaining.slice(dotIdx);
+        for (const rule of EXTENSION_RULES) {
+            if (rule.extensions.includes(ext)) {
+                compoundLabel = join(compoundLabel, rule.label);
+            }
+        }
+        remaining = remaining.slice(0, dotIdx);
+    }
+    return compoundLabel;
+}
+const PATH_RULES = [
+    // Secrets directories
+    { pattern: /[/\\]secrets?[/\\]/i, label: makeLabel(3, ['secrets']) },
+    { pattern: /[/\\]\.ssh[/\\]/i, label: makeLabel(3, ['credentials']) },
+    { pattern: /[/\\]\.gnupg[/\\]/i, label: makeLabel(3, ['credentials']) },
+    { pattern: /[/\\]private[/\\]/i, label: makeLabel(2, ['credentials']) },
+    // Infrastructure
+    { pattern: /[/\\]deploy[/\\]/i, label: makeLabel(2, ['internal_infra']) },
+    { pattern: /[/\\]infrastructure[/\\]/i, label: makeLabel(2, ['internal_infra']) },
+    { pattern: /[/\\]terraform[/\\]/i, label: makeLabel(2, ['internal_infra']) },
+    { pattern: /[/\\]k8s[/\\]/i, label: makeLabel(2, ['internal_infra']) },
+    { pattern: /[/\\]kubernetes[/\\]/i, label: makeLabel(2, ['internal_infra']) },
+    { pattern: /[/\\]ansible[/\\]/i, label: makeLabel(2, ['internal_infra']) },
+    // CI/CD configs (may contain deployment secrets)
+    { pattern: /[/\\]\.github[/\\]workflows[/\\]/i, label: makeLabel(1, ['internal_infra']) },
+    { pattern: /[/\\]\.gitlab-ci\.yml$/i, label: makeLabel(1, ['internal_infra']) },
+    { pattern: /[/\\]\.circleci[/\\]/i, label: makeLabel(1, ['internal_infra']) },
+    // Skip: node_modules, .git internals — not sensitive per se
+    { pattern: /[/\\]node_modules[/\\]/i, label: BOTTOM },
+    { pattern: /[/\\]\.git[/\\]/i, label: makeLabel(1) },
+];
+function labelByPath(filePath) {
+    let normalized = filePath.replace(/\\/g, '/');
+    // Ensure repo-relative paths (e.g., "secrets/key.pem") match PATH_RULES that require /dir/ delimiters
+    if (!normalized.startsWith('/')) {
+        normalized = '/' + normalized;
+    }
+    let result = BOTTOM;
+    for (const rule of PATH_RULES) {
+        if (rule.pattern.test(normalized)) {
+            result = join(result, rule.label);
+        }
+    }
+    return result;
+}
+const CONTENT_PATTERNS = [
+    // API keys / tokens (→ secrets)
+    { pattern: /sk-(?:proj-)?[a-zA-Z0-9]{20,}/, compartments: ['secrets'], level: 3 },
+    { pattern: /sk-ant-[a-zA-Z0-9-]{20,}/, compartments: ['secrets'], level: 3 },
+    { pattern: /AKIA[0-9A-Z]{16}/, compartments: ['secrets'], level: 3 },
+    { pattern: /gh[pousr]_[a-zA-Z0-9]{36}/, compartments: ['secrets'], level: 3 },
+    { pattern: /github_pat_[a-zA-Z0-9]{22,}/, compartments: ['secrets'], level: 3 },
+    { pattern: /glpat-[a-zA-Z0-9-]{20,}/, compartments: ['secrets'], level: 3 },
+    {
+        pattern: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/,
+        compartments: ['secrets'],
+        level: 3,
+    },
+    {
+        pattern: /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/,
+        compartments: ['secrets'],
+        level: 2,
+    },
+    // Private keys (→ credentials)
+    {
+        pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
+        compartments: ['credentials'],
+        level: 3,
+    },
+    // Password assignments (→ secrets)
+    {
+        pattern: /(?:password|passwd|secret|api_key)\s*[:=]\s*['"][^'"]{8,}['"]/,
+        compartments: ['secrets'],
+        level: 2,
+    },
+    // Connection strings (→ credentials + internal_infra)
+    {
+        pattern: /(?:postgres|mysql|mongodb|redis):\/\/[^:]+:[^@]+@/,
+        compartments: ['credentials', 'internal_infra'],
+        level: 2,
+    },
+    // PII patterns
+    { pattern: /\b\d{3}-\d{2}-\d{4}\b/, compartments: ['pii'], level: 2 }, // SSN
+    { pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z]{2,}\b/i, compartments: ['pii'], level: 1 }, // Email (low level — very common)
+    // Internal infrastructure markers
+    {
+        pattern: /(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})/,
+        compartments: ['internal_infra'],
+        level: 1,
+    },
+];
+/**
+ * Scan file content for sensitive patterns and return accumulated label.
+ * Short-circuits if content is empty.
+ */
+export function labelByContent(content) {
+    if (!content || content.length === 0)
+        return BOTTOM;
+    let result = BOTTOM;
+    for (const { pattern, compartments, level } of CONTENT_PATTERNS) {
+        if (pattern.test(content)) {
+            result = join(result, makeLabel(level, compartments));
+        }
+    }
+    return result;
+}
+/**
+ * Resolve the security label for a file using 3 deterministic layers.
+ * Returns the join (LUB) of all applicable labels.
+ *
+ * Layer 4 (LLM classification) is handled externally in Phase 3.
+ */
+export function resolveFileLabel(filePath, options = {}) {
+    // Normalize relative paths to have path separators for path-based rules
+    const normalizedPath = filePath.includes('/') || filePath.includes('\\') ? filePath : './' + filePath;
+    let result = BOTTOM;
+    // Layer 1: Extension
+    result = join(result, labelByExtension(normalizedPath));
+    // Layer 2: Path
+    result = join(result, labelByPath(normalizedPath));
+    // Layer 3: Content (if provided)
+    if (options.content) {
+        result = join(result, labelByContent(options.content));
+    }
+    return result;
+}
+/**
+ * Quick label check — extension + path only (no content scan).
+ * Use for pre-tool checks where content isn't available yet.
+ */
+export function quickFileLabel(filePath) {
+    return join(labelByExtension(filePath), labelByPath(filePath));
+}
+// Re-export for convenience
+export { BOTTOM, makeLabel, join, isBottom, } from './label.js';
+//# sourceMappingURL=file-labels.js.map

package/dist/lib/ifc/file-labels.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"file-labels.js","sourceRoot":"","sources":["../../../src/lib/ifc/file-labels.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAIL,SAAS,EACT,IAAI,EACJ,MAAM,GACP,MAAM,YAAY,CAAC;AASpB,MAAM,eAAe,GAAoB;IACvC,8CAA8C;IAC9C;QACE,UAAU,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC;QACjE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC;KACrC;IACD,+CAA+C;IAC/C;QACE,UAAU,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,iBAAiB,EAAE,cAAc,EAAE,kBAAkB,CAAC;QACzF,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;KAChD;IACD,8DAA8D;IAC9D;QACE,UAAU,EAAE,CAAC,WAAW,EAAE,WAAW,CAAC;QACtC,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC;KACrC;IACD,wBAAwB;IACxB;QACE,UAAU,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC;QAC5C,KAAK,EAAE,MAAM;KACd;CACF,CAAC;AAEF,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACzD,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;IAE9C,gFAAgF;IAChF,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,iCAAiC;YAC5D,wCAAwC;YACxC,IAAI,QAAQ,KAAK,GAAG,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;gBAC1C,OAAO,IAAI,CAAC,KAAK,CAAC;YACpB,CAAC;YACD,4EAA4E;YAC5E,+DAA+D;YAC/D,IAAI,GAAG,KAAK,MAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnD,OAAO,IAAI,CAAC,KAAK,CAAC;YACpB,CAAC;YACD,oFAAoF;YACpF,sDAAsD;YACtD,IAAI,GAAG,KAAK,MAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAClD,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,eAAe;gBACtD,uEAAuE;gBACvE,IAAI,6DAA6D,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBACpF,gCAAgC;gBAClC,CAAC;qBAAM,CAAC;oBACN,OAAO,IAAI,CAAC,KAAK,CAAC;gBACpB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,6FAA6F;IAC7F,8FAA8F;IAC9F,IAAI,aAAa,GAAG,MAAM,CAAC;IAC3B,IAAI,SAAS,GAAG,QAAQ,CAAC;IACzB,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,MAAM,GAAG,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,MAAM,GAAG,CAAC;YAAE,MAAM;QACtB,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACpC,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAClC,aAAa,GAAG,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QACD,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACzC,CAAC;IAED,OAAO,aAAa,CAAC;AACvB,CAAC;AASD,MAAM,UAAU,GAAe;IAC7B,sBAAsB;IACtB,EAAE,OAAO,EAAE,qBAAqB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE;IACpE,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE;IACrE,EAAE,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE;IACvE,EAAE,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE;IAEvE,iBAAiB;IACjB,EAAE,OAAO,EAAE,mBAAmB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,EAAE;IACzE,EAAE,OAAO,EAAE,2BAA2B,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,EAAE;IACjF,EAAE,OAAO,EAAE,sBAAsB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,EAAE;IAC5E,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,EAAE;IACtE,EAAE,OAAO,EAAE,uBAAuB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,EAAE;IAC7E,EAAE,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,EAAE;IAE1E,iDAAiD;IACjD,EAAE,OAAO,EAAE,mCAAmC,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,EAAE;IACzF,EAAE,OAAO,EAAE,yBAAyB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,EAAE;IAC/E,EAAE,OAAO,EAAE,uBAAuB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,EAAE;IAE7E,4DAA4D;IAC5D,EAAE,OAAO,EAAE,yBAAyB,EAAE,KAAK,EAAE,MAAM,EAAE;IACrD,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE;CACrD,CAAC;AAEF,SAAS,WAAW,CAAC,QAAgB;IACnC,IAAI,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9C,sGAAsG;IACtG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,UAAU,GAAG,GAAG,GAAG,UAAU,CAAC;IAChC,CAAC;IACD,IAAI,MAAM,GAAG,MAAM,CAAC;IAEpB,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YAClC,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAUD,MAAM,gBAAgB,GAAqB;IACzC,gCAAgC;IAChC,EAAE,OAAO,EAAE,+BAA+B,EAAE,YAAY,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE;IACjF,EAAE,OAAO,EAAE,0BAA0B,EAAE,YAAY,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE;IAC5E,EAAE,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE;IACpE,EAAE,OAAO,EAAE,2BAA2B,EAAE,YAAY,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE;IAC7E,EAAE,OAAO,EAAE,6BAA6B,EAAE,YAAY,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE;IAC/E,EAAE,OAAO,EAAE,yBAAyB,EAAE,YAAY,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE;IAC3E;QACE,OAAO,EAAE,sDAAsD;QAC/D,YAAY,EAAE,CAAC,SAAS,CAAC;QACzB,KAAK,EAAE,CAAC;KACT;IACD;QACE,OAAO,EAAE,sDAAsD;QAC/D,YAAY,EAAE,CAAC,SAAS,CAAC;QACzB,KAAK,EAAE,CAAC;KACT;IAED,+BAA+B;IAC/B;QACE,OAAO,EAAE,wDAAwD;QACjE,YAAY,EAAE,CAAC,aAAa,CAAC;QAC7B,KAAK,EAAE,CAAC;KACT;IAED,mCAAmC;IACnC;QACE,OAAO,EAAE,+DAA+D;QACxE,YAAY,EAAE,CAAC,SAAS,CAAC;QACzB,KAAK,EAAE,CAAC;KACT;IAED,sDAAsD;IACtD;QACE,OAAO,EAAE,mDAAmD;QAC5D,YAAY,EAAE,CAAC,aAAa,EAAE,gBAAgB,CAAC;QAC/C,KAAK,EAAE,CAAC;KACT;IAED,eAAe;IACf,EAAE,OAAO,EAAE,uBAAuB,EAAE,YAAY,EAAE,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,MAAM;IAC7E,EAAE,OAAO,EAAE,kDAAkD,EAAE,YAAY,EAAE,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,kCAAkC;IAEpI,kCAAkC;IAClC;QACE,OAAO,EACL,0GAA0G;QAC5G,YAAY,EAAE,CAAC,gBAAgB,CAAC;QAChC,KAAK,EAAE,CAAC;KACT;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAEpD,IAAI,MAAM,GAAG,MAAM,CAAC;IAEpB,KAAK,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,gBAAgB,EAAE,CAAC;QAChE,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AASD;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB,EAAE,UAA4B,EAAE;IAC/E,wEAAwE;IACxE,MAAM,cAAc,GAClB,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,QAAQ,CAAC;IAEjF,IAAI,MAAM,GAAG,MAAM,CAAC;IAEpB,qBAAqB;IACrB,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,gBAAgB,CAAC,cAAc,CAAC,CAAC,CAAC;IAExD,gBAAgB;IAChB,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,cAAc,CAAC,CAAC,CAAC;IAEnD,iCAAiC;IACjC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,cAAc,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB;IAC7C,OAAO,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,4BAA4B;AAC5B,OAAO,EACL,MAAM,EACN,SAAS,EACT,IAAI,EACJ,QAAQ,GAGT,MAAM,YAAY,CAAC"}

package/dist/lib/ifc/label.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Bell-LaPadula Security Label Lattice
+ *
+ * Full BLP model with compartments:
+ * - SecurityLevel: 0=public, 1=internal, 2=confidential, 3=highly_confidential
+ * - Compartments: secrets, credentials, pii, internal_infra
+ * - Lattice operations: join (LUB), dominates, isBottom, isComparable
+ *
+ * Label rules:
+ * - Labels only go UP (weak tranquility)
+ * - join(a, b) = max level + union compartments
+ * - dominates(a, b) = a.level >= b.level AND a.compartments ⊇ b.compartments
+ */
+export type SecurityLevel = 0 | 1 | 2 | 3;
+export declare const LEVEL_NAMES: Record<SecurityLevel, string>;
+export type Compartment = 'secrets' | 'credentials' | 'pii' | 'internal_infra';
+export declare const ALL_COMPARTMENTS: readonly Compartment[];
+export interface SecurityLabel {
+    readonly level: SecurityLevel;
+    readonly compartments: ReadonlySet<Compartment>;
+}
+/** The bottom of the lattice — no classification, no compartments */
+export declare const BOTTOM: SecurityLabel;
+/** Create a label */
+export declare function makeLabel(level: SecurityLevel, compartments?: Compartment[]): SecurityLabel;
+/** Least Upper Bound — max level, union of compartments */
+export declare function join(a: SecurityLabel, b: SecurityLabel): SecurityLabel;
+/** Does `a` dominate `b`? (a.level >= b.level AND a.compartments ⊇ b.compartments) */
+export declare function dominates(a: SecurityLabel, b: SecurityLabel): boolean;
+/** Is label at the bottom of the lattice? */
+export declare function isBottom(label: SecurityLabel): boolean;
+/** Are two labels comparable? (one dominates the other) */
+export declare function isComparable(a: SecurityLabel, b: SecurityLabel): boolean;
+/** Are two labels equal? */
+export declare function labelsEqual(a: SecurityLabel, b: SecurityLabel): boolean;
+/** Format label for display */
+export declare function formatLabel(label: SecurityLabel): string;
+//# sourceMappingURL=label.d.ts.map

package/dist/lib/ifc/label.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"label.d.ts","sourceRoot":"","sources":["../../../src/lib/ifc/label.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAE1C,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,aAAa,EAAE,MAAM,CAKrD,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG,SAAS,GAAG,aAAa,GAAG,KAAK,GAAG,gBAAgB,CAAC;AAE/E,eAAO,MAAM,gBAAgB,EAAE,SAAS,WAAW,EAKzC,CAAC;AAEX,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,QAAQ,CAAC,YAAY,EAAE,WAAW,CAAC,WAAW,CAAC,CAAC;CACjD;AAED,qEAAqE;AACrE,eAAO,MAAM,MAAM,EAAE,aAGF,CAAC;AAEpB,qBAAqB;AACrB,wBAAgB,SAAS,CAAC,KAAK,EAAE,aAAa,EAAE,YAAY,GAAE,WAAW,EAAO,GAAG,aAAa,CAK/F;AAED,2DAA2D;AAC3D,wBAAgB,IAAI,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,aAAa,GAAG,aAAa,CAItE;AAED,sFAAsF;AACtF,wBAAgB,SAAS,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,aAAa,GAAG,OAAO,CAMrE;AAED,6CAA6C;AAC7C,wBAAgB,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAEtD;AAED,2DAA2D;AAC3D,wBAAgB,YAAY,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,aAAa,GAAG,OAAO,CAExE;AAED,4BAA4B;AAC5B,wBAAgB,WAAW,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,aAAa,GAAG,OAAO,CAOvE;AAED,+BAA+B;AAC/B,wBAAgB,WAAW,CAAC,KAAK,EAAE,aAAa,GAAG,MAAM,CAIxD"}

package/dist/lib/ifc/label.js ADDED Viewed

@@ -0,0 +1,80 @@
+/**
+ * Bell-LaPadula Security Label Lattice
+ *
+ * Full BLP model with compartments:
+ * - SecurityLevel: 0=public, 1=internal, 2=confidential, 3=highly_confidential
+ * - Compartments: secrets, credentials, pii, internal_infra
+ * - Lattice operations: join (LUB), dominates, isBottom, isComparable
+ *
+ * Label rules:
+ * - Labels only go UP (weak tranquility)
+ * - join(a, b) = max level + union compartments
+ * - dominates(a, b) = a.level >= b.level AND a.compartments ⊇ b.compartments
+ */
+export const LEVEL_NAMES = {
+    0: 'public',
+    1: 'internal',
+    2: 'confidential',
+    3: 'highly_confidential',
+};
+export const ALL_COMPARTMENTS = [
+    'secrets',
+    'credentials',
+    'pii',
+    'internal_infra',
+];
+/** The bottom of the lattice — no classification, no compartments */
+export const BOTTOM = Object.freeze({
+    level: 0,
+    compartments: Object.freeze(new Set()),
+});
+/** Create a label */
+export function makeLabel(level, compartments = []) {
+    return {
+        level,
+        compartments: new Set(compartments),
+    };
+}
+/** Least Upper Bound — max level, union of compartments */
+export function join(a, b) {
+    const level = Math.max(a.level, b.level);
+    const compartments = new Set([...a.compartments, ...b.compartments]);
+    return { level, compartments };
+}
+/** Does `a` dominate `b`? (a.level >= b.level AND a.compartments ⊇ b.compartments) */
+export function dominates(a, b) {
+    if (a.level < b.level)
+        return false;
+    for (const c of b.compartments) {
+        if (!a.compartments.has(c))
+            return false;
+    }
+    return true;
+}
+/** Is label at the bottom of the lattice? */
+export function isBottom(label) {
+    return label.level === 0 && label.compartments.size === 0;
+}
+/** Are two labels comparable? (one dominates the other) */
+export function isComparable(a, b) {
+    return dominates(a, b) || dominates(b, a);
+}
+/** Are two labels equal? */
+export function labelsEqual(a, b) {
+    if (a.level !== b.level)
+        return false;
+    if (a.compartments.size !== b.compartments.size)
+        return false;
+    for (const c of a.compartments) {
+        if (!b.compartments.has(c))
+            return false;
+    }
+    return true;
+}
+/** Format label for display */
+export function formatLabel(label) {
+    const level = LEVEL_NAMES[label.level];
+    const comps = [...label.compartments].sort().join(', ');
+    return comps ? `${level} {${comps}}` : level;
+}
+//# sourceMappingURL=label.js.map

package/dist/lib/ifc/label.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"label.js","sourceRoot":"","sources":["../../../src/lib/ifc/label.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,MAAM,CAAC,MAAM,WAAW,GAAkC;IACxD,CAAC,EAAE,QAAQ;IACX,CAAC,EAAE,UAAU;IACb,CAAC,EAAE,cAAc;IACjB,CAAC,EAAE,qBAAqB;CACzB,CAAC;AAIF,MAAM,CAAC,MAAM,gBAAgB,GAA2B;IACtD,SAAS;IACT,aAAa;IACb,KAAK;IACL,gBAAgB;CACR,CAAC;AAOX,qEAAqE;AACrE,MAAM,CAAC,MAAM,MAAM,GAAkB,MAAM,CAAC,MAAM,CAAC;IACjD,KAAK,EAAE,CAAC;IACR,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,GAAG,EAAe,CAAC;CACpD,CAAkB,CAAC;AAEpB,qBAAqB;AACrB,MAAM,UAAU,SAAS,CAAC,KAAoB,EAAE,eAA8B,EAAE;IAC9E,OAAO;QACL,KAAK;QACL,YAAY,EAAE,IAAI,GAAG,CAAC,YAAY,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,IAAI,CAAC,CAAgB,EAAE,CAAgB;IACrD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAkB,CAAC;IAC1D,MAAM,YAAY,GAAG,IAAI,GAAG,CAAc,CAAC,GAAG,CAAC,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;IAClF,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;AACjC,CAAC;AAED,sFAAsF;AACtF,MAAM,UAAU,SAAS,CAAC,CAAgB,EAAE,CAAgB;IAC1D,IAAI,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACpC,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,CAAC;QAC/B,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,6CAA6C;AAC7C,MAAM,UAAU,QAAQ,CAAC,KAAoB;IAC3C,OAAO,KAAK,CAAC,KAAK,KAAK,CAAC,IAAI,KAAK,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,YAAY,CAAC,CAAgB,EAAE,CAAgB;IAC7D,OAAO,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED,4BAA4B;AAC5B,MAAM,UAAU,WAAW,CAAC,CAAgB,EAAE,CAAgB;IAC5D,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,CAAC,YAAY,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAC9D,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,CAAC;QAC/B,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,+BAA+B;AAC/B,MAAM,UAAU,WAAW,CAAC,KAAoB;IAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,CAAC,GAAG,KAAK,CAAC,YAAY,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxD,OAAO,KAAK,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,KAAK,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC;AAC/C,CAAC"}

package/dist/lib/ifc/session-ifc.d.ts ADDED Viewed

@@ -0,0 +1,92 @@
+/**
+ * Session IFC State — Bell-LaPadula enforcement per session
+ *
+ * Tracks the security high-water mark for each session:
+ * - Labels only go UP (weak tranquility / monotonic)
+ * - Taints accumulate and never clear
+ * - Outbound operations are checked against *-property (no write down)
+ * - Users can grant one-shot trusted-subject escalations
+ *
+ * State is in-memory, discarded on session end. New session = clean slate.
+ */
+import { type SecurityLabel, type SecurityLevel, type Compartment } from './label.js';
+export type SecurityTaint = 'secrets_detected' | 'credentials_detected' | 'pii_detected' | 'prompt_injection' | 'high_entropy_output';
+export interface LabelHistoryEntry {
+    timestamp: number;
+    previousLevel: SecurityLevel;
+    newLevel: SecurityLevel;
+    previousCompartments: Compartment[];
+    newCompartments: Compartment[];
+    trigger: string;
+}
+export interface SessionIFCState {
+    label: SecurityLabel;
+    taints: Set<SecurityTaint>;
+    outboundStepCount: number;
+    labelHistory: LabelHistoryEntry[];
+    trustedActions: Set<string>;
+    /** Permission mode registered at session start (trusted source of truth for bypass detection) */
+    permissionMode?: string;
+}
+export type OutboundChannel = 'file_write' | 'bash_network' | 'web_fetch' | 'git_commit' | 'memory_save';
+export interface WriteDownCheckResult {
+    allowed: boolean;
+    action: 'allow' | 'deny' | 'ask' | 'warn';
+    reason?: string;
+}
+export interface IFCStepLimits {
+    highly_confidential: number;
+    confidential: number;
+}
+export declare function createSessionIFC(): SessionIFCState;
+/**
+ * Raise the session label (monotonic — can only go up).
+ * Returns true if the label actually changed.
+ */
+export declare function raiseLabel(state: SessionIFCState, fileLabel: SecurityLabel, trigger: string): boolean;
+/**
+ * Add a taint to the session (accumulative, never removed).
+ */
+export declare function addTaint(state: SessionIFCState, taint: SecurityTaint, source: string): void;
+/**
+ * Grant a one-shot trusted-subject escalation.
+ * The action ID should be unique per operation (e.g., "bash:curl:step42").
+ */
+export declare function grantTrustedAction(state: SessionIFCState, actionId: string): void;
+/**
+ * Consume a trusted action (one-shot — removed after use).
+ * Returns true if the action was granted and is now consumed.
+ */
+export declare function consumeTrustedAction(state: SessionIFCState, actionId: string): boolean;
+/**
+ * Check if an outbound operation is allowed under BLP *-property.
+ *
+ * Graduated enforcement:
+ * - highly_confidential (3): deny all outbound unconditionally
+ * - confidential (2): deny if tainted, ask otherwise
+ * - internal (1): warn only
+ * - public (0): no restriction
+ *
+ * For file_write, caller must provide the destination file's label.
+ */
+export declare function checkWriteDown(state: SessionIFCState, channel: OutboundChannel, options?: {
+    destinationLabel?: SecurityLabel;
+    actionId?: string;
+    stepLimits?: Partial<IFCStepLimits>;
+}): WriteDownCheckResult;
+/**
+ * Increment outbound step counter. Call after every outbound operation.
+ */
+export declare function recordOutboundStep(state: SessionIFCState): void;
+export interface SessionIFCSummary {
+    level: SecurityLevel;
+    levelName: string;
+    compartments: Compartment[];
+    taints: SecurityTaint[];
+    outboundStepCount: number;
+    historyLength: number;
+    trustedActionsCount: number;
+    formattedLabel: string;
+}
+export declare function summarizeIFC(state: SessionIFCState): SessionIFCSummary;
+//# sourceMappingURL=session-ifc.d.ts.map

package/dist/lib/ifc/session-ifc.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session-ifc.d.ts","sourceRoot":"","sources":["../../../src/lib/ifc/session-ifc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,WAAW,EAOjB,MAAM,YAAY,CAAC;AAIpB,MAAM,MAAM,aAAa,GACrB,kBAAkB,GAClB,sBAAsB,GACtB,cAAc,GACd,kBAAkB,GAClB,qBAAqB,CAAC;AAE1B,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,aAAa,CAAC;IAC7B,QAAQ,EAAE,aAAa,CAAC;IACxB,oBAAoB,EAAE,WAAW,EAAE,CAAC;IACpC,eAAe,EAAE,WAAW,EAAE,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,aAAa,CAAC;IACrB,MAAM,EAAE,GAAG,CAAC,aAAa,CAAC,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,YAAY,EAAE,iBAAiB,EAAE,CAAC;IAClC,cAAc,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5B,iGAAiG;IACjG,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,cAAc,GACd,WAAW,GACX,YAAY,GACZ,aAAa,CAAC;AAElB,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,KAAK,GAAG,MAAM,CAAC;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;CACtB;AAsBD,wBAAgB,gBAAgB,IAAI,eAAe,CAQlD;AAED;;;GAGG;AACH,wBAAgB,UAAU,CACxB,KAAK,EAAE,eAAe,EACtB,SAAS,EAAE,aAAa,EACxB,OAAO,EAAE,MAAM,GACd,OAAO,CA8BT;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAsB3F;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAEjF;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEtF;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,eAAe,EACtB,OAAO,EAAE,eAAe,EACxB,OAAO,GAAE;IACP,gBAAgB,CAAC,EAAE,aAAa,CAAC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;CAChC,GACL,oBAAoB,CAkGtB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI,CAE/D;AAID,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,aAAa,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,WAAW,EAAE,CAAC;IAC5B,MAAM,EAAE,aAAa,EAAE,CAAC;IACxB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,eAAe,GAAG,iBAAiB,CAWtE"}

package/dist/lib/ifc/session-ifc.js ADDED Viewed

@@ -0,0 +1,222 @@
+/**
+ * Session IFC State — Bell-LaPadula enforcement per session
+ *
+ * Tracks the security high-water mark for each session:
+ * - Labels only go UP (weak tranquility / monotonic)
+ * - Taints accumulate and never clear
+ * - Outbound operations are checked against *-property (no write down)
+ * - Users can grant one-shot trusted-subject escalations
+ *
+ * State is in-memory, discarded on session end. New session = clean slate.
+ */
+import { makeLabel, join, dominates, isBottom, formatLabel, BOTTOM, } from './label.js';
+const DEFAULT_STEP_LIMITS = {
+    highly_confidential: 25,
+    confidential: 100,
+};
+/** Max label history entries to keep (prevents unbounded growth in long sessions) */
+const MAX_LABEL_HISTORY = 200;
+// ─── Destination labels for outbound channels ───────────────────────
+const CHANNEL_LABELS = {
+    file_write: BOTTOM, // Overridden by actual file label at check time
+    bash_network: BOTTOM, // Network = public
+    web_fetch: BOTTOM, // Network = public
+    git_commit: BOTTOM, // Commit message = public
+    memory_save: makeLabel(1), // Internal
+};
+// ─── State management ───────────────────────────────────────────────
+export function createSessionIFC() {
+    return {
+        label: BOTTOM,
+        taints: new Set(),
+        outboundStepCount: 0,
+        labelHistory: [],
+        trustedActions: new Set(),
+    };
+}
+/**
+ * Raise the session label (monotonic — can only go up).
+ * Returns true if the label actually changed.
+ */
+export function raiseLabel(state, fileLabel, trigger) {
+    const newLabel = join(state.label, fileLabel);
+    // Check if anything changed
+    if (newLabel.level === state.label.level) {
+        // Check compartments
+        let changed = false;
+        for (const c of newLabel.compartments) {
+            if (!state.label.compartments.has(c)) {
+                changed = true;
+                break;
+            }
+        }
+        if (!changed)
+            return false;
+    }
+    // Record history (capped to prevent unbounded growth)
+    if (state.labelHistory.length < MAX_LABEL_HISTORY) {
+        state.labelHistory.push({
+            timestamp: Date.now(),
+            previousLevel: state.label.level,
+            newLevel: newLabel.level,
+            previousCompartments: [...state.label.compartments],
+            newCompartments: [...newLabel.compartments],
+            trigger,
+        });
+    }
+    state.label = newLabel;
+    return true;
+}
+/**
+ * Add a taint to the session (accumulative, never removed).
+ */
+export function addTaint(state, taint, source) {
+    if (state.taints.has(taint))
+        return;
+    state.taints.add(taint);
+    // Auto-raise label based on taint
+    switch (taint) {
+        case 'secrets_detected':
+            raiseLabel(state, makeLabel(3, ['secrets']), `taint:${taint} from ${source}`);
+            break;
+        case 'credentials_detected':
+            raiseLabel(state, makeLabel(3, ['credentials']), `taint:${taint} from ${source}`);
+            break;
+        case 'pii_detected':
+            raiseLabel(state, makeLabel(2, ['pii']), `taint:${taint} from ${source}`);
+            break;
+        case 'prompt_injection':
+            // Injection doesn't change label, but taints the session
+            break;
+        case 'high_entropy_output':
+            raiseLabel(state, makeLabel(2, ['secrets']), `taint:${taint} from ${source}`);
+            break;
+    }
+}
+/**
+ * Grant a one-shot trusted-subject escalation.
+ * The action ID should be unique per operation (e.g., "bash:curl:step42").
+ */
+export function grantTrustedAction(state, actionId) {
+    state.trustedActions.add(actionId);
+}
+/**
+ * Consume a trusted action (one-shot — removed after use).
+ * Returns true if the action was granted and is now consumed.
+ */
+export function consumeTrustedAction(state, actionId) {
+    return state.trustedActions.delete(actionId);
+}
+// ─── *-Property enforcement (no write down) ─────────────────────────
+/**
+ * Check if an outbound operation is allowed under BLP *-property.
+ *
+ * Graduated enforcement:
+ * - highly_confidential (3): deny all outbound unconditionally
+ * - confidential (2): deny if tainted, ask otherwise
+ * - internal (1): warn only
+ * - public (0): no restriction
+ *
+ * For file_write, caller must provide the destination file's label.
+ */
+export function checkWriteDown(state, channel, options = {}) {
+    // If session is at bottom (clean), always allow
+    if (isBottom(state.label)) {
+        return { allowed: true, action: 'allow' };
+    }
+    // Check one-shot trusted action (consumed on use — delete, not has)
+    if (options.actionId && state.trustedActions.delete(options.actionId)) {
+        return {
+            allowed: true,
+            action: 'allow',
+            reason: 'Trusted action granted by user (one-shot, now consumed)',
+        };
+    }
+    // Determine destination label
+    const destLabel = channel === 'file_write' && options.destinationLabel
+        ? options.destinationLabel
+        : CHANNEL_LABELS[channel];
+    // For file_write: check if destination dominates session (standard BLP)
+    if (channel === 'file_write' && options.destinationLabel) {
+        if (dominates(options.destinationLabel, state.label)) {
+            // Writing to equal or higher classification — always OK
+            return { allowed: true, action: 'allow' };
+        }
+    }
+    // Graduated enforcement by session level
+    const limits = { ...DEFAULT_STEP_LIMITS, ...options.stepLimits };
+    if (state.label.level === 3) {
+        // Highly confidential: deny all outbound (except file_write to same/higher level)
+        if (state.outboundStepCount >= limits.highly_confidential) {
+            return {
+                allowed: false,
+                action: 'deny',
+                reason: `Session has read highly confidential data (step limit ${limits.highly_confidential} reached). ` +
+                    `All outbound operations blocked. Session label: ${formatLabel(state.label)}`,
+            };
+        }
+        return {
+            allowed: false,
+            action: 'deny',
+            reason: `Session has read highly confidential data. ` +
+                `${channel} to ${formatLabel(destLabel)} blocked (no write down). ` +
+                `Session label: ${formatLabel(state.label)}`,
+        };
+    }
+    if (state.label.level === 2) {
+        // Confidential: deny if tainted, ask otherwise
+        if (state.taints.size > 0) {
+            return {
+                allowed: false,
+                action: 'deny',
+                reason: `Session is confidential + tainted (${[...state.taints].join(', ')}). ` +
+                    `${channel} blocked. Session label: ${formatLabel(state.label)}`,
+            };
+        }
+        if (state.outboundStepCount >= limits.confidential) {
+            return {
+                allowed: false,
+                action: 'ask',
+                reason: `Session has read confidential data (step limit ${limits.confidential} approaching). ` +
+                    `${channel} requires approval. Session label: ${formatLabel(state.label)}`,
+            };
+        }
+        return {
+            allowed: false,
+            action: 'ask',
+            reason: `Session has read confidential data. ` +
+                `${channel} to ${formatLabel(destLabel)} requires approval (no write down). ` +
+                `Session label: ${formatLabel(state.label)}`,
+        };
+    }
+    if (state.label.level === 1) {
+        // Internal: warn only (don't block)
+        return {
+            allowed: true,
+            action: 'warn',
+            reason: `Session has read internal data. ` +
+                `${channel} allowed but noted. Session label: ${formatLabel(state.label)}`,
+        };
+    }
+    // Level 0 (public) — no restriction
+    return { allowed: true, action: 'allow' };
+}
+/**
+ * Increment outbound step counter. Call after every outbound operation.
+ */
+export function recordOutboundStep(state) {
+    state.outboundStepCount++;
+}
+export function summarizeIFC(state) {
+    return {
+        level: state.label.level,
+        levelName: formatLabel(state.label).split(' ')[0],
+        compartments: [...state.label.compartments],
+        taints: [...state.taints],
+        outboundStepCount: state.outboundStepCount,
+        historyLength: state.labelHistory.length,
+        trustedActionsCount: state.trustedActions.size,
+        formattedLabel: formatLabel(state.label),
+    };
+}
+//# sourceMappingURL=session-ifc.js.map